The present invention, in some embodiments thereof, relates to a method and a system for security assessment of web applications and services and, more particularly, but not exclusively, to a method and a system for runtime security assessment of web applications and services.
Computer security issues are becoming more widespread as an ever-increasing number of diverse computer applications are developed. Problems such as viruses, worms, rootkits, spyware, and theft plague computer users and web services. Additionally, as the Internet connects more people to each other, it is also fueling security problems because confidential information is more easily compromised, see U.S. Patent Application Publication No. 2008/0244261 filed on Mar. 29, 2007.
In their attempt to address Web application security, Scott and Sharp selected three types of security vulnerabilities they believed to be particularly important: form modification, SQL injection, and cross-site scripting (XSS), see D. Scott, R. Sharp, Abstracting application-level Web security, in: The 11th International Conference on the World Wide Web, Honolulu, Hi., May 2002, pp. 396-407 and D. Scott, R. Sharp, Developing secure Web applications, IEEE Internet Computing 6 (6) (2002) 38-45, which are incorporated herein by reference. They also suggested that form modification is often used in conjunction with other forms of attacks, for example, structured query language (SQL) injection. SQL injection and XSS account for the majority of Web application security vulnerabilities, see M. Curphey, D. Endler, W. Hau, S. Taylor, T. Smith, A. Russell, G. McKenna, R. Parke, K. McLaughlin, N. Tranter, A. Klien, D. Groves, I. By-Gad, S. Huseby, M. Eizner, R. McNamara, A guide to building secure Web applications, The Open Web Application Security Project v.1.1.1, September 2002, which is incorporated herein by reference.
Different methods and systems have been developed for detecting and preventing web application security vulnerabilities. For example, U.S. Patent Application Publication No. 2007/0074188, filed on Mar. 29, 2007, describes methods, software tools and systems for analyzing software applications, e.g., Web applications. A software application to be analyzed is transformed into an abstract representation which preserves its information flow properties. The abstract interpretation is evaluated to identify security vulnerabilities using, for example, type qualifiers to associate security levels with variables and/or functions in the application being analyzed and type state checking. Runtime guards are inserted into the application to secure identified security vulnerabilities. Another example is described in U.S. Patent Application Publication No. 2008/0209567, filed on Feb. 15, 2008, which describes security assessment and security vulnerability testing of software applications performed based at least in part on application metadata in order to determine an appropriate assurance level and associated test plan that includes multiple types of analysis. Steps from each test are combined into a “custom” or “application-specific” workflow, and the results of each test may then be correlated with other results to identify potential security vulnerabilities and/or faults. Another example is described in U.S. Patent Application Publication No. 2008/0295178, filed on May 24, 2007, which describes a web application that receives a user input with a SQL injection attack string that references a function. The application generates a corresponding statement based on the user input string, which the application sends to a database server. Upon receiving the statement, the database server executes the statement that invokes the referenced function. When invoked, the referenced function stores a value.
The presence of the stored value indicates that the database server invoked the function. Storing the value indicative of the function invocation identifies a security vulnerability of the web application to SQL injection attacks, since the function reference is introduced solely through user input and function invocation is not intended by the application. This provides proof of SQL injection security vulnerability of the application.
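The following is an added illustration of the function-invocation proof just described; it is not code from this application or from any of the cited publications. It assumes a minimal lookup routine backed by an in-memory SQLite database, a hypothetical probe function named probe_mark that records a value when the database engine invokes it, and a constructed probe input. The injectable routine concatenates user input into the statement, so the engine evaluates probe_mark() and the stored value appears; the parameterized routine treats the same input as a plain string, so no invocation occurs and no value is stored.

```python
import sqlite3


class ProbeRecorder:
    """Holds the value that the referenced function stores when invoked.

    An attribute on a Python object stands in for whatever persistent
    store a real database-side function would write to (assumption).
    """

    def __init__(self):
        self.invoked = False

    def mark(self):
        # Invoked only if the database engine actually executed probe_mark().
        self.invoked = True
        return 1


def build_database(recorder):
    """Constructed sample schema and rows; the table must be non-empty,
    otherwise the WHERE clause (and the probe inside it) is never evaluated."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    # Register the hypothetical probe function with the engine.
    conn.create_function("probe_mark", 0, recorder.mark)
    return conn


def lookup_vulnerable(conn, name):
    """Builds the statement by string concatenation: user input becomes SQL."""
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Binds user input as a value: the input can never become SQL syntax."""
    return [row[0] for row in conn.execute("SELECT id FROM users WHERE name = ?", (name,))]


# Constructed probe input that references the function; it is only ever
# meaningful if the application splices it into the statement text.
PROBE_INPUT = "x' OR probe_mark() = 1 OR 'a' = 'a"


def assess(lookup):
    """Return True if the database invoked probe_mark() while serving the
    probe input, i.e. the lookup routine is vulnerable to SQL injection."""
    recorder = ProbeRecorder()
    conn = build_database(recorder)
    try:
        lookup(conn, PROBE_INPUT)
    except sqlite3.Error:
        # A statement error alone is not proof; only the stored value is.
        pass
    finally:
        conn.close()
    return recorder.invoked


if __name__ == "__main__":
    print("concatenated lookup injectable:", assess(lookup_vulnerable))
    print("parameterized lookup injectable:", assess(lookup_parameterized))
```

The assessment deliberately ignores database errors: a malformed statement shows that input reached the parser, but the proof the publication relies on is the stored value, which only exists if the referenced function ran.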